Chapter 20: The Law and Your Exchange Environment


It should come as no surprise to the reader that the legal chapter begins with a disclaimer. Securing Microsoft Exchange messaging systems, as astutely summarized in Appendix A, "The Ten Immutable Laws," touches on a thicket of legal issues that cannot be addressed in one chapter of commentary. The legal issues here range from the deepest "where do we go next?" questions about balancing privacy with surveillance in the digital era, to the most mundane aspects of security, like "Who can unlock my office?" This chapter provides you with general legal information regarding the issues raised by administrator monitoring of employee computer use, enforcement of e-mail and Internet policies, and other potential exposure to conflict and liability. However, it's not legal advice (even though it was written by an attorney).

Tip

This chapter is primarily concerned with United States laws. Many of the general principles described here are the same in most Western countries, but local laws and interpretations do vary; be sure to contact an attorney who is certified in your country if you have questions.

Assumptions

To start this discussion, you need to know some basic terms and assumptions as they apply to the Exchange administrator and the Exchange network. Like cryptography and security, law relies on a specialized vocabulary. Rather than delving too deeply into it, I'll narrow the factual assumptions we are dealing with and hopefully simplify the application of the general legal principles.

Let's assume the network is proprietary (meaning that Joe Public doesn't have access to it), and that access to and use of its servers, communications channels, and clients is controlled. As the Exchange administrator, assume that you are the network owner, its employee, or its agent. The administrator does not operate a public Internet service provider (ISP) like MSN, America Online, or Yahoo!. The network is instead an intranet with communications channels that allow its users to send and receive e-mail; exchange files, including video, music, text, and data; instant message within the network; and send and receive information over the public Internet. The network administrator has authority and responsibility for the security of the Exchange server, all message content, stored and transiting data, and client security.

Access and Control Regimes

With a private network, network access controls, the use of authentication to ensure identity, and the use of audit logs to check the activity of trusted users are all legally straightforward. If you own the network, you can raise technical barriers to unauthorized access. The legal theory is identical to that of real property; unauthorized access is basically trespassing. It's acceptable to put up a digital fence and be a gatekeeper. This is hardly novel legal stuff. If a network user has access because of an employment relationship, the owner of the network can set the rules for access and use of network resources. Misuse of the network and its resources is not only a violation of the rules of the road for the network and continued employment, but a form of theft of the network's resources. To be sure, there can be other violations of rules, too. For example, harassing e-mails might involve theft of network resources and violate other laws. Downloading video on company time can absorb network bandwidth, use valuable space on the client's hard disk, be a violation of copyright laws, and so forth. In short, a private party can control its property and protect against unauthorized access and theft, with little legal restraint.

Issues Facing the Administrator

Most of the tricky legal questions embedded in managing an Exchange environment involve balancing privacy interests with surveillance interests. If the content of an Exchange message is disclosed, the first legal question is whether the disclosure was in violation of the rights of the message originator or the message recipient, and whether the network owner has any culpability or liability. The precise rights at issue depend on the status or function of the message originator (such as an employee, credit reporting agency, public servant, or broadcaster) at the time of the message, as well as the status of the recipient (such as a minor, public servant, prisoner, employee, union worker, or political candidate) and the function of the message interceptor (such as law enforcement, administrative agency, ISP, transmission network, corporate firewall, intranet administrator, or coworker).

Of course, different rules apply depending on who's doing the interception, and why. If the government conducts the surveillance of the network itself, or if it obtains an order requiring the provider to monitor on the government's behalf, this is different from the case where the administrator is simply managing his or her own network to ensure compliance with access and use policies, or for some other valid business reason. In all circumstances, the administrator can expect significant resistance to the idea of surveillance of employee e-mail and Internet use. Even if undertaken for valid business purposes, such control might be criticized as unnecessarily invasive and occasionally illegal. Many of the legal questions in this area, particularly as they relate to the workplace, remain unsettled.

Explicit Network Access and Use Policies

Without a written policy providing notice to all network users, an administrator will have difficulty enforcing any rules of the road. A well-written policy alerts network users that privately owned computers and networks are provided for the benefit of the network owner and its business purposes. Removing software programs from, or adding them to, the client or the network should be strictly controlled. To the extent that some personal use is permitted, an effective policy should make clear that all use must meet generally accepted professional standards. Examples include prohibiting employees from visiting gambling, pornographic, or hate group Web sites; downloading sexually explicit images, whether protected speech or not; and downloading copyrighted music, video, or games to a work computer. A comprehensive policy also establishes an e-mail policy barring off-color jokes as well as inappropriate humor and abusive, profane, or threatening messages.

Accordingly, a good policy will notify employees of any monitoring of computer usage and electronic communications by clear and conspicuous means, and it will be updated regularly and whenever monitoring practices change. The policy should also disclose the form of monitored communications, the manner in which the monitoring is accomplished, the frequency of monitoring, the type of information obtained through monitoring, how such information is stored, how it is used, and how it might be disclosed to third parties.

Enforcement of the policy will likely require inspection of hardware issued to employees as well as e-mail and Internet use monitoring. Such surveillance is unlikely to be constantly necessary, but the administrator's obligation and entitlement to such information should nonetheless be clearly established in the written policy. As part of the announced policy, a network administrator might also take advantage of software that blocks access to certain categories of Web sites, or detects when prohibited language is used in e-mail correspondence.

Monitoring typically leads to improved network performance as well as discipline or termination of employees. When challenges to surveillance on the part of employers have occurred, assuming access and use policies are in place, courts have typically held that employees have no reasonable expectation of privacy in employer-provided technology. Typical complaints from employees against network administrators include claims that the administrator violated the federal Electronic Communications Privacy Act, the federal Electronic Communications Storage Act, a state constitutional provision or privacy statute, the Fourth Amendment (if the employer is a public entity), or employees' right to privacy as derived from common law. Each ground is looked at briefly in the following material.

The Interesting but Complicating Role of the Internet

From the perspective of the law, ready access to the public Internet transforms each network user into a potential publisher, political speaker, artist, or even a presidential candidate. In addition, because messaging over the Internet travels over many different types of proprietary physical networks, including telephone, cable, and satellite systems as well as the licensed and unlicensed wireless spectrum, the abstract legal principles at the policy level are quite complicated. One thing is certain: if the Exchange network's clients are Internet-enabled, the network can be utilized to commit crimes or incur civil liability, possibly for the network's owner or operator.

Network users can contact coconspirators, deliver threats, perpetrate frauds, or engage in other criminal activities. When the Exchange network is used to further crimes, the functioning network and its operational records constitute a crime scene. Transiting data, stored e-mails, message address and origination information, and even undelivered data packets can contain important clues for law enforcement. The Exchange network is like a small neighborhood, and the network's users are its members. The ability to reach through to the public Internet means each member of the local community is also a member of an infinitely varied and geographically dispersed community.

Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
Year: 2004
Pages: 189
